Most of the email accounts that I see get "hacked" to send spam were victims of phishing attacks.
I actually have been seeing this more often lately and the best thing to do is look for weird IPs in the audit.log and to grep through the output of zmprov gaa -v to look for weird reply-to addresses and forwarding addresses.
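
The `zmprov gaa -v` check described in the post above, as an added example that is not part of the original thread: it flags every account whose reply-to or forwarding address points outside the account's own domain. The function name and the sample accounts are constructed for illustration, and treating "different domain" as suspicious is an assumption; sites with alias domains would need an allow-list.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `zmprov gaa -v` output on stdin
# and prints: account <TAB> attribute <TAB> address
# for each reply-to / forwarding address outside the domain of the account.
# Real use:  zmprov gaa -v | flag_external_redirects
flag_external_redirects() {
    awk '
        # Each account block starts with a "# name user@domain" line.
        /^# name / {
            acct = $3
            split(acct, parts, "@")
            dom = tolower(parts[2])
            next
        }
        # User-set forwarding, admin-set (hidden) forwarding, and reply-to.
        /^(zimbraPrefMailForwardingAddress|zimbraMailForwardingAddress|zimbraPrefReplyToAddress): / {
            attr = $1
            sub(/:$/, "", attr)
            val = $0
            sub(/^[^:]*: */, "", val)
            # Handle a comma- or space-separated list of addresses.
            n = split(val, addrs, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                if (addrs[i] == "") continue
                a = tolower(addrs[i])
                d = substr(a, index(a, "@") + 1)
                if (d != dom) print acct "\t" attr "\t" addrs[i]
            }
        }
    '
}

# Constructed sample in the shape of `zmprov gaa -v` output.
SAMPLE='# name alice@example.com
zimbraMailStatus: enabled
zimbraPrefReplyToAddress: alice@example.com

# name bob@example.com
zimbraMailStatus: enabled
zimbraPrefMailForwardingAddress: bob.backup@mailbox.invalid
zimbraPrefReplyToAddress: winner-claims@mailbox.invalid'

# Demo run: only the two bob@example.com settings are reported.
printf '%s\n' "$SAMPLE" | flag_external_redirects
```

Accounts it reports are worth cross-checking against the login source addresses in audit.log before resetting the password and clearing the setting.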

After spending a few hours looking over various systems, some of our users did fall victim to a phishing attack. What gave it away was all the rejects on our SMTP servers. Another sign was that our Groupwise box was hit too.

Okay, so what was the phishing attack? Did they pretend to be from your support team to get login credentials? It appears to be a very targeted attack, especially as they got your users' email addresses.
